Windows Analysis Report
MACHINE SPECIFICATION.exe

Overview

General Information

Sample name: MACHINE SPECIFICATION.exe
Analysis ID: 1592546
MD5: d1c6ab3629f6d71840186bd535086505
SHA1: 5591a31837bb82615ddb484a3e21c8db35420dbf
SHA256: 0c1418234d0411468fb45398076b8eed5b2a889472c9a97311069d7fb858c803
Tags: exeRedLineStealeruser-lowmal3
Infos:

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: MACHINE SPECIFICATION.exe Avira: detected
Found malware configuration
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info@kianaenergy.com", "Password": "@kiana@energy", "Server": "mail.kianaenergy.com", "To": "chuckc.wmtubewire@outlook.com", "Port": 587}
Multi AV Scanner detection for submitted file
Source: MACHINE SPECIFICATION.exe Virustotal: Detection: 36% Perma Link
Source: MACHINE SPECIFICATION.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: MACHINE SPECIFICATION.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: MACHINE SPECIFICATION.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.8:49707 -> 104.21.16.1:443 version: TLS 1.0
Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0062C2A2 FindFirstFileExW, 0_2_0062C2A2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006668EE FindFirstFileW,FindClose, 0_2_006668EE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0066698F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0065D076
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0065D3A9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00669642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00669642
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0066979D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00669B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00669B2B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0065DBBE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00665C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00665C97
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_0204DE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC037Dh 4_2_05BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC9060h 4_2_05BC8DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCC028h 4_2_05BCBD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCC482h 4_2_05BCC1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCE878h 4_2_05BCE5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCBBD0h 4_2_05BCB928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCDFC8h 4_2_05BCDD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCE420h 4_2_05BCE178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCB778h 4_2_05BCB4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCDB70h 4_2_05BCD8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCAEC8h 4_2_05BCAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCD2C0h 4_2_05BCD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCB320h 4_2_05BCB078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCD718h 4_2_05BCD470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC2A40h 4_2_05BC2798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC2E98h 4_2_05BC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC8C08h 4_2_05BC87E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCAA70h 4_2_05BCA7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCCE68h 4_2_05BCCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCA1C0h 4_2_05BC9F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCA618h 4_2_05BCA370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCCA10h 4_2_05BCC768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC25E8h 4_2_05BC2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC1D38h 4_2_05BC1A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCF128h 4_2_05BCEE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC2190h 4_2_05BC1EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC9D68h 4_2_05BC9AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC18E0h 4_2_05BC1638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BCECD0h 4_2_05BCEA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC0EC2h 4_2_05BC0E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC94B8h 4_2_05BC9210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC0EC2h 4_2_05BC0E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05BC9910h 4_2_05BC9668
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49708 -> 5.144.131.244:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTIRAN-NETWORKIR HOSTIRAN-NETWORKIR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 193.122.130.0:80
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.8:49708 -> 5.144.131.244:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.8:49707 -> 104.21.16.1:443 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0066CE44
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: mail.kianaenergy.com
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002550000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000024D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kianaenergy.com
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.kianaenergy.com
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0-
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000024D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0066EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0066ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0066EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_0065AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00689576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00689576

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MACHINE SPECIFICATION.exe.2580000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.MACHINE SPECIFICATION.exe.3590000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Binary is likely a compiled AutoIt script file
Source: MACHINE SPECIFICATION.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MACHINE SPECIFICATION.exe, 00000000.00000000.1401944424.00000000006B2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_63199941-a
Source: MACHINE SPECIFICATION.exe, 00000000.00000000.1401944424.00000000006B2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8116f4a8-4
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1434705461.00000000006B2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_aad184bd-9
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1434705461.00000000006B2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8a937656-a
Source: MACHINE SPECIFICATION.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ebde27f2-2
Source: MACHINE SPECIFICATION.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_6bd23ee9-1
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0065D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00651201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00651201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0065E8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00662046 0_2_00662046
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F8060 0_2_005F8060
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00658298 0_2_00658298
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0062E4FF 0_2_0062E4FF
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0062676B 0_2_0062676B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00684873 0_2_00684873
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005FCAF0 0_2_005FCAF0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0061CAA0 0_2_0061CAA0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0060CC39 0_2_0060CC39
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00626DD9 0_2_00626DD9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0060B119 0_2_0060B119
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F91C0 0_2_005F91C0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00611394 0_2_00611394
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00611706 0_2_00611706
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0061781B 0_2_0061781B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0060997D 0_2_0060997D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F7920 0_2_005F7920
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006119B0 0_2_006119B0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00617A4A 0_2_00617A4A
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00611C77 0_2_00611C77
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00617CA7 0_2_00617CA7
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0067BE44 0_2_0067BE44
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00629EEE 0_2_00629EEE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005FBF40 0_2_005FBF40
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00611F32 0_2_00611F32
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_01B1B290 0_2_01B1B290
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 3_2_01131EA8 3_2_01131EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00408C60 4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040DC11 4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00407C3F 4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418CCC 4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00406CA0 4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004028B0 4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041A4BE 4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418244 4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401650 4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402F20 4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004193C4 4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418788 4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402F89 4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402B90 4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004073A0 4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02041437 4_2_02041437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02041448 4_2_02041448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02041199 4_2_02041199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_020411A8 4_2_020411A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC5568 4_2_05BC5568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC3048 4_2_05BC3048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC0040 4_2_05BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC06A0 4_2_05BC06A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC62C8 4_2_05BC62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC8DB8 4_2_05BC8DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC8DA8 4_2_05BC8DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCBD80 4_2_05BCBD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCC1D8 4_2_05BCC1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCE5D0 4_2_05BCE5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCC1C8 4_2_05BCC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCE5C1 4_2_05BCE5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB928 4_2_05BCB928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCDD20 4_2_05BCDD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB918 4_2_05BCB918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCDD11 4_2_05BCDD11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCE178 4_2_05BCE178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCBD70 4_2_05BCBD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCE168 4_2_05BCE168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD8BA 4_2_05BCD8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB4D0 4_2_05BCB4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD8C8 4_2_05BCD8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB4C1 4_2_05BCB4C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCAC20 4_2_05BCAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD018 4_2_05BCD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCAC10 4_2_05BCAC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD009 4_2_05BCD009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC0006 4_2_05BC0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB078 4_2_05BCB078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD470 4_2_05BCD470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCB068 4_2_05BCB068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCD461 4_2_05BCD461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCA7B9 4_2_05BCA7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCCBB0 4_2_05BCCBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2798 4_2_05BC2798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2788 4_2_05BC2788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2BF0 4_2_05BC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC87E8 4_2_05BC87E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2BE0 4_2_05BC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCA7C8 4_2_05BCA7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCCBC0 4_2_05BCCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2331 4_2_05BC2331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9F18 4_2_05BC9F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9F09 4_2_05BC9F09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCA370 4_2_05BCA370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCC768 4_2_05BCC768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCA360 4_2_05BCA360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCC757 4_2_05BCC757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC2340 4_2_05BC2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9AB0 4_2_05BC9AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1A90 4_2_05BC1A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC0691 4_2_05BC0691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCEE80 4_2_05BCEE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1A80 4_2_05BC1A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1EE8 4_2_05BC1EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1ED8 4_2_05BC1ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9AC0 4_2_05BC9AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1638 4_2_05BC1638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCEA28 4_2_05BCEA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC1627 4_2_05BC1627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCEA18 4_2_05BCEA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9210 4_2_05BC9210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9200 4_2_05BC9200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BCEE70 4_2_05BCEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC9668 4_2_05BC9668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05BC965A 4_2_05BC965A
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: String function: 0060F9F2 appears 40 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: String function: 005F9CB3 appears 31 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: String function: 00610A30 appears 46 times
Sample file is different than original file name gathered from version info
Source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411571697.00000000043A3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411298607.000000000454D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000003.1431365627.0000000003CC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000003.1432666962.0000000003E6D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs MACHINE SPECIFICATION.exe
Uses 32bit PE files
Source: MACHINE SPECIFICATION.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MACHINE SPECIFICATION.exe.2580000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MACHINE SPECIFICATION.exe.3590000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Melber.0.dr Binary or memory string: 0ZXDVTG%M\K\FQXT1]A\VAIND58XY5RDDSQE5HYYTCTRL4X[XSDOZA0.T\0\XAVOG0MXKQFEXI1QA]V]I_D58QY%R]D[QB5PYNTET]L"XDX]DLZ_0=T^0WXSVTG5L[HPBQ]J7^G_QCNRL80\Q8ZQM_XN<DPA^L^RF;RKR\NCPN:3_R;YSO]ZL>FR@_MXT@=TMTZHEVH<4XU<^THZ]K9AUGXJXT@<ULU[IDWI=5YT=_UI[\J8@TFYKYUA<ULVXJGTJ>6ZW>\VJX_I;CWEZHZVB?VOVXJGTJ>6ZW>\VJX_I;CWEZHZVB?VOVXJGTJ?7[V?]WKY^H:BVD[I[WC>WNWYKFUK?7[V?]WKY^H:BVD[I[WC>WNWYKFUK?7[V?]XDF@U'^J_@R@MY$MWN@R_LR&/CN'EOSAI_-UASL^L@T)@Y@N]PC])!M@)KA]OH^,WCQN\NBV+B[BL^S@^*"NC*HB^LK]/WCQO]OCW*CZCM_RA_+#OB+IC_MJ\.VBPO]ODP-D]DJXUFX,$HE,NDXJM[)QEWHZHDP-D]DJXUFX,$HE,NDXJM[)QEWHZHDP-D]DKYTGY-%ID-OEYKLZ(PDVI[IEQ,E\EKYTGY-%ID-OEYKLZ(PDVI[IEQ,E\EKYTGY-8U[3V]BQYO<DSA_MXT@=ULU[JGTJ?7[V BHTFAW%\HZEWEI]#JSJDV[HW#+GJ#AKPBES!YM_@R@LX%LUMCQ\OQ%-AL%GMQCDQ#[O]BPBNZ'NWN@R^MS'/CN'EOSAFP"ZASL^L@T)@Y@N\QB\( LA(J@\NI_-UASL_MAU(AXAO]PC])!M@)KA]OH^,T@RM_MAV+B[BL^S@^*"NC*HB^LK]/WCQN\NBV+BZCM_RA_+#OB+IC_MJ\.VBPO]OCW*CZCJDIZD18TY2RXDUQG5IYKTCTXL7XAXQDIZL08TS0RXHVQG;MYKDFTXX1XA@VDIFD08tY0RpDVQw5MYsTFT
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/3
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006637B5 GetLastError,FormatMessageW, 0_2_006637B5
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006510BF AdjustTokenPrivileges,CloseHandle, 0_2_006510BF
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_006516C3
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_006651CD
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0067A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0067A67C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0066648E
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_005F42A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe File created: C:\Users\user\AppData\Local\Temp\Melber Jump to behavior
Source: MACHINE SPECIFICATION.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MACHINE SPECIFICATION.exe Virustotal: Detection: 36%
Source: MACHINE SPECIFICATION.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: MACHINE SPECIFICATION.exe Static file information: File size 1612288 > 1048576
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MACHINE SPECIFICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: MACHINE SPECIFICATION.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MACHINE SPECIFICATION.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MACHINE SPECIFICATION.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MACHINE SPECIFICATION.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MACHINE SPECIFICATION.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005F42DE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00610A76 push ecx; ret 0_2_00610A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C40C push cs; iretd 4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00423149 push eax; ret 4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C50E push cs; iretd 4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004231C8 push eax; ret 4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040E21D push ecx; ret 4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C6BE push ebx; ret 4_2_0041C6BF
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0060F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0060F98E
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00681C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00681C41
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe API/Special instruction interceptor: Address: 1B1AEB4
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe API/Special instruction interceptor: Address: 1131ACC
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 4_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7804 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2056 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe API coverage: 3.4 %
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0062C2A2 FindFirstFileExW, 0_2_0062C2A2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006668EE FindFirstFileW,FindClose, 0_2_006668EE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0066698F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0065D076
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0065D3A9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00669642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00669642
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0066979D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00669B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00669B2B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0065DBBE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00665C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00665C97
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005F42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99120 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98793 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97113 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96975 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96682 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96575 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96459 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96314 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96193 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94967 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94634 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94422 Jump to behavior
Source: RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0066EAA2 BlockInput, 0_2_0066EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00622622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00622622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 4_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005F42DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00614CE8 mov eax, dword ptr fs:[00000030h] 0_2_00614CE8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_01B1B180 mov eax, dword ptr fs:[00000030h] 0_2_01B1B180
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_01B1B120 mov eax, dword ptr fs:[00000030h] 0_2_01B1B120
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_01B19AE0 mov eax, dword ptr fs:[00000030h] 0_2_01B19AE0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 3_2_01131D98 mov eax, dword ptr fs:[00000030h] 3_2_01131D98
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 3_2_01131D38 mov eax, dword ptr fs:[00000030h] 3_2_01131D38
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 3_2_011306F8 mov eax, dword ptr fs:[00000030h] 3_2_011306F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00650B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00650B62
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00622622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00622622
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0061083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0061083F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006109D5 SetUnhandledExceptionFilter, 0_2_006109D5
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00610C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00610C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004123F1 SetUnhandledExceptionFilter, 4_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2FC008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00651201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00651201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00632BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00632BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0065B226 SendInput,keybd_event, 0_2_0065B226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_006722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_006722DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00650B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00650B62
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00651663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00651663
Source: MACHINE SPECIFICATION.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: MACHINE SPECIFICATION.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00610698 cpuid 0_2_00610698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 4_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00668195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00668195
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0064D27A GetUserNameW, 0_2_0064D27A
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_0062B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0062B952
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005F42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_81
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_XP
Source: MACHINE SPECIFICATION.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_XPe
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_VISTA
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_7
Source: MACHINE SPECIFICATION.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00671204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00671204
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe Code function: 0_2_00671806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00671806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592546 Sample: MACHINE SPECIFICATION.exe Startdate: 16/01/2025 Architecture: WINDOWS Score: 100 26 reallyfreegeoip.org 2->26 28 mail.kianaenergy.com 2->28 30 3 other IPs or domains 2->30 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 44 10 other signatures 2->44 8 MACHINE SPECIFICATION.exe 1 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 26->42 process4 signatures5 46 Binary is likely a compiled AutoIt script file 8->46 11 MACHINE SPECIFICATION.exe 8->11         started        14 RegSvcs.exe 8->14         started        process6 signatures7 48 Binary is likely a compiled AutoIt script file 11->48 50 Writes to foreign memory regions 11->50 52 Maps a DLL or memory area into another process 11->52 16 RegSvcs.exe 15 2 11->16         started        process8 dnsIp9 20 kianaenergy.com 5.144.131.244, 49708, 587 HOSTIRAN-NETWORKIR Iran (ISLAMIC Republic Of) 16->20 22 checkip.dyndns.com 193.122.130.0, 49706, 80 ORACLE-BMC-31898US United States 16->22 24 reallyfreegeoip.org 104.21.16.1, 443, 49707 CLOUDFLARENETUS United States 16->24 32 Tries to steal Mail credentials (via file / registry access) 16->32 34 Tries to harvest and steal browser information (history, passwords, etc) 16->34 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.16.1
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
5.144.131.244
 kianaenergy.com Iran (ISLAMIC Republic Of)
59441 HOSTIRAN-NETWORKIR true
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
kianaenergy.com 5.144.131.244 true
reallyfreegeoip.org 104.21.16.1 true
checkip.dyndns.com 193.122.130.0 true
mail.kianaenergy.com unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/8.46.123.189 false
      		high